Bit commitment protocols, whose security is based on the laws of quantum mechanics alone, 
are generally held to be impossible on the basis of a concealment-bindingness tradeoff |l|, ^]. A 
strengthened and explicit impossibility proof has been given in Ref. in the Heisenberg picture 
and in a C*-algebraic framework, considering all conceivable protocols in which both classical and 
quantum information are exchanged. In the present paper we provide a new impossibility proof in 
the Schrödinger picture, greatly simplifying the classification of protocols and strategies using the 
mathematical formulation in terms of quantum combs, with each single-party strategy represented 
by a conditional comb. We prove that assuming a stronger notion of concealment — worst-case over 
the classical information histories — allows Alice's cheat to pass also the worst-case Bob's test. The 
present approach allows us to restate the concealment-bindingness tradeoff in terms of the continuity 
of dilations of probabilistic quantum combs with respect to the comb-discriminability distance. 

PACS numbers: 03.67.Dd 



I. INTRODUCTION 

Bit commitment involves two mistrustful parties — 
Alice and Bob — of which Alice submits to Bob a piece 
of evidence that he will use to confirm a bit value that 
she will later reveal, whereas Bob cannot determine the 
bit value from the evidence alone. A good bit commit- 
ment protocol should be simultaneously concealing and 
binding, namely the evidence should be submitted to Bob 
in such a way that he has (almost) no chance to identify 
the committed bit value before Alice later decodes it for 
him, whereas Alice has (almost) no way of changing the 
value of the committed bit once she has submitted the 
evidence. In the easiest example to illustrate bit com- 
mitment, Alice writes the bit down on a piece of paper, 
which is then locked in a safe and sent to Bob, whereas 
Alice keeps the key. At a later time, she will unveil the 
bit by handing over the key to Bob. However, Bob may 
be able to open the safe in the meantime, and this scheme 
is in principle insecure. Yet all bit commitment schemes 
currently used rely on strongboxes and keys made of com- 
putations that are (supposedly) hard to perform (see Ref. 

for a list of references), and cryptographers have long 
known that bit commitment (like any other interesting 
two-party cryptographic primitive) cannot be securely 
implemented with classical information [p[. 

Besides having immediate practical applications, bit 
commitment is also a very powerful cryptographic primi- 
tive. Conceived by Blum [^| as a building block for secure 
coin tossing, it also allows one to implement secure oblivious 
transfer [0, §|, ^, which, in turn, is sufficient to establish 
secure two-party computation [T^ . 

It has therefore been a long-time challenge for quan- 
tum cryptographers to find unconditionally secure quan- 
tum bit commitment protocols, in which — very much in 
parallel to quantum key distribution |l^ — security is 
guaranteed by the laws of quantum physics alone. 

The first quantum bit commitment protocol appeared 
in the famous Bennett and Brassard 1984 quantum cryp- 
tography paper Jill , in a version for implementing coin 
tossing. However, they also proved that Alice can cheat 
using EPR correlations, by which she can unveil either 
bit at the opening stage by measuring in the appropri- 
ate basis a particle entangled with the one encoding the 
bit, whereas Bob has no way to detect the attack. Sub- 
sequent proposals for bit commitment schemes tried to 
evade this type of attack, e.g. in the protocol of Ref. 
which for a while was generally accepted to be uncondi- 
tionally secure. 
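
The EPR attack described above, computed exactly for a single-qubit BB84-style commitment. This is an added example, not code from the paper: the toy protocol (bit encoded as the choice of basis, Bob accepting when his outcome matches the announced one) and all function names are assumptions of this sketch.

```python
"""EPR attack on a BB84-style bit commitment, computed exactly (no sampling).

Assumed toy protocol (constructed for this example): to commit to bit b,
Alice sends Bob one qubit in a uniformly random state of basis b
(0 = rectilinear, 1 = diagonal). To open, she announces (b, outcome) and
Bob measures his qubit in basis b, accepting if he finds the same outcome.
"""
import math

S = 1 / math.sqrt(2)
BASES = {
    0: [(1.0, 0.0), (0.0, 1.0)],   # |0>, |1>
    1: [(S, S), (S, -S)],          # |+>, |->
}
# Entangled pair (|00> + |11>)/sqrt(2); amplitudes indexed [alice][bob].
EPR = [[S, 0.0], [0.0, S]]


def bob_reduced_state(bit):
    """Density matrix Bob holds after an honest commitment to `bit`."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for v in BASES[bit]:
        for r in range(2):
            for c in range(2):
                rho[r][c] += 0.5 * v[r] * v[c]   # amplitudes are real
    return rho


def trace_distance(rho, sigma):
    """Trace distance between two real symmetric 2x2 matrices."""
    a = rho[0][0] - sigma[0][0]
    b = rho[0][1] - sigma[0][1]
    d = rho[1][1] - sigma[1][1]
    mean, rad = (a + d) / 2, math.hypot((a - d) / 2, b)
    # Eigenvalues of the difference are mean +/- rad.
    return 0.5 * (abs(mean + rad) + abs(mean - rad))


def switch_without_entanglement(committed, claimed):
    """Acceptance probability when Alice honestly sent a state of basis
    `committed`, kept nothing entangled with it, and later claims `claimed`,
    announcing the outcome Bob is most likely to find."""
    total = 0.0
    for sent in BASES[committed]:
        best = max(
            sum(x * y for x, y in zip(b_vec, sent)) ** 2
            for b_vec in BASES[claimed]
        )
        total += 0.5 * best
    return total


def epr_cheat_acceptance(bit):
    """Acceptance probability when Alice sends half of an EPR pair and only
    chooses `bit` at opening, by measuring her half in the matching basis."""
    p_accept = 0.0
    for a_vec in BASES[bit]:
        # Bob's unnormalised state once Alice has found outcome a_vec.
        bob = [sum(a_vec[i] * EPR[i][j] for i in range(2)) for j in range(2)]
        # Bob measures in the announced basis and must find the same vector.
        amp = sum(a_vec[j] * bob[j] for j in range(2))
        p_accept += amp * amp
    return p_accept


if __name__ == "__main__":
    d = trace_distance(bob_reduced_state(0), bob_reduced_state(1))
    print("distance between Bob's states for bit 0 and bit 1:", round(d, 12))
    print("switch 0 -> 1 without entanglement:", switch_without_entanglement(0, 1))
    for b in (0, 1):
        print("EPR cheat, opening as", b, ":", round(epr_cheat_acceptance(b), 12))
```

Bob's two reduced states coincide, so the commitment is perfectly concealing, and that is exactly what lets the entangled Alice open either bit with certainty while the unentangled switch passes only half the time.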

In 1996 Lo and Chau ||l|, and Mayers ||^ realized that 
all previously proposed bit commitment protocols were 
vulnerable to a generalized version of the EPR attack 
that renders the BB84 proposal insecure, a result that 
they slightly extended to cover quantum bit commitment 
protocols in general. Their basic argument is the following. 
At the end of the commitment phase, Bob will 
hold one out of two quantum states $\rho_k$ as proof of Alice's 
commitment to the bit value $k \in \{0, 1\}$. Alice holds its 
purification $\psi_k$, which she will later pass on to Bob to 
unveil. For the protocol to be concealing, the two states 
$\rho_k$ should be (almost) indistinguishable, $\rho_0 \approx \rho_1$. But 
Uhlmann's theorem then implies the existence of a 
unitary transformation $U$ that (nearly) rotates the purification 
of $\rho_0$ into the purification of $\rho_1$. Since $U$ is 
localized on the purifying system only, which is entirely 
under Alice's control, Lo-Chau-Mayers argue that Alice 
can switch at will between the two states, and is not in 
any way bound to her commitment. As a consequence, 
any concealing bit commitment protocol is argued to be 
necessarily non-binding (these results still hold true when 
both parties are restricted by superselection rules psf). 
So while the proposed quantum bit commitment proto- 
cols offer good practical security on the grounds that Al- 
ice's EPR attack is hard to perform with current tech- 
nology, none of them is unconditionally secure. 
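
The quantitative form of this argument, as an added worked derivation that is not part of the original paper. Assumed notation: $D$ is the trace distance, $F$ the fidelity, $|\psi_k\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ purifies $\rho_k = \mathrm{Tr}_A |\psi_k\rangle\langle\psi_k|$, and concealment is taken as $D(\rho_0, \rho_1) = \tfrac{1}{2}\|\rho_0 - \rho_1\|_1 \le \varepsilon$.

$$F(\rho_0, \rho_1) := \|\sqrt{\rho_0}\sqrt{\rho_1}\|_1 = \max_{U} \left|\langle\psi_1|(U \otimes I_B)|\psi_0\rangle\right| \quad \text{(Uhlmann, $U$ unitary on $\mathcal{H}_A$)}$$

$$1 - F(\rho_0, \rho_1) \le D(\rho_0, \rho_1) \le \varepsilon \quad \text{(Fuchs-van de Graaf)}$$

$$D\big((U \otimes I_B)|\psi_0\rangle,\ |\psi_1\rangle\big) = \sqrt{1 - F^2} \le \sqrt{2\varepsilon - \varepsilon^2} \le \sqrt{2\varepsilon}$$

With the optimal $U$, acting only on the system Alice keeps, her state after committing to 0 lies within trace distance $\sqrt{2\varepsilon}$ of the honest state for bit 1, so any test Bob applies at the opening accepts it with nearly the honest probability.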

Starting from 2000 the Lo-Chau-Mayers no-go theo- 
rem [|l|, has been continually challenged by Yuen and 
others |lq, [l7| , [l8|] , arguing that the impossibility proof 
of Ref. |I| does not exhaust all conceivable quantum 
bit commitment protocols, whereas it is still unclear if 
Mayer's framework |Q is complete. Several protocols 
have been proposed and claimed to circumvent the no-go 
theorem. These protocols seek to strengthen Bob's 
position with the help of 'secret parameters' or 'anony- 
mous states', so that Alice lacks some information needed 
to cheat successfully: while Uhlmann's theorem would 
still imply the existence of a unitary cheating transfor- 
mation as described above, this transformation might be 
unknown to Alice. 

The above attempts to build up a secure quantum bit 
commitment protocol have motivated the thorough anal- 
ysis of Ref. 1^, which provided a strengthened and ex- 
plicit impossibility proof exhausting all conceivable pro- 
tocols in which classical and quantum information is ex- 
changed between two parties, including the possibility of 
protocol aborts and resets. The proof [|j encompasses 
protocols even with unbounded number of communica- 
tion rounds (it is only required that the expected num- 
ber of rounds is finite), and with quantum systems on 
infinite-dimensional Hilbert spaces. However, the con- 
siderable length of the proof in Ref. ||^ makes it still 
hard to follow (see e.g. comments in Ref. [^), lacking 
a synthetic intuition of the impossibility proof. 

The debate can only be settled with an appropriate 
formulation of the problem, which is sufficiently power- 
ful to include all possible protocols in a single simple 
mathematical object, thus leaving no shadow of doubt 
on the completeness of the protocol classification. Once 
the mathematical formulation of all protocols is settled, 
then the impossibility statement becomes just a mathe- 
matical theorem. In this paper we will first see that the 
appropriate notion to describe all individual strategies in 
a purely quantum protocol is the quantum comb. The 
quantum comb generalizes the notion of quantum oper- 
ation of Kraus p9| , and has been originally introduced 
in Ref. [Q to describe quantum circuit boards, where in- 
puts and outputs are not just quantum states, but quantum 
operations themselves. Since quantum combs are 
in one-to-one correspondence with sequences of quantum 
operations, a quantum comb is suited to represent 
the sequence of moves performed by a party in a 
multi-round quantum protocol. Indeed, the same mathe- 
matical structure of quantum combs has been recognized 
by Gutoski and Watrous in Ref. as the appropriate 
formulation of multi-round quantum games. In order to 
treat protocols that involve both quantum and classical 
communication, we will then extend this framework by 
introducing the concept of conditional comb, which de- 
scribes a computing network that is able to sequentially 
process both quantum and classical information. 

Examples of combs are represented diagrammatically 
in Fig. 1. For a purely quantum comb, each line entering 
or exiting a tooth of the comb represents a quantum sys- 
tem. For a conditional comb, each line represents a hy- 
brid quantum-classical system, accounting also for clas- 
sical information exchanged at each step. In a two-party 
protocol, a comb represents a single-party strategy, with 
each tooth of the comb representing the move performed 
by the party at some turn. Subsequent turns are repre- 
sented by subsequent teeth, from left to right. The output 
of the multi-round protocol is given by two combs 
interlaced as in Fig. 2: the upper Bob's, the lower Alice's. 
The exchange of quantum-classical systems can be 
mathematically described in a C*-algebraic representa- 
tion of a deterministic comb, or, equivalently, by treating 
the conditional comb as a collection of (purely quantum) 
probabilistic combs, each of them being labeled by a par- 
ticular history of classical communication. In this paper, 
we will choose the second point of view, which avoids 
using the C*-algebraic framework, with the need, how- 
ever, of considering collections of probabilistic quantum 
combs, accounting for the classical information coming 
from measurements. 

FIG. 1: Diagrammatic representation of quantum combs. 
For a quantum comb each line entering or exiting a tooth 
represents a quantum system, while for a conditional comb 
it represents a hybrid quantum-classical system. A quantum 
operation (the box on the left upper corner) is a special case 
of quantum comb with a single tooth. 

A protocol assigns the set of allowed strategies, i.e. 
the set of allowed conditional combs, along with the per- 
taining input-output structure regulating the exchange 
of quantum and classical information. As already men- 
tioned, a conditional comb is a collection of probabilistic 
quantum combs, each of them representing the sequence 
of single-party moves associated to a particular history of 
classical communication. In a general protocol, some his- 
tories will lead to a successful commitment, while some 
others will possibly lead to an abort, in which the two 
parties irrevocably give up, excluding any further communication 
(if the protocol is restarted, then the con- 
catenation of the two sequences can be regarded as part 
of a new longer protocol with possible resets). Accord- 
ingly, we will consider histories from the beginning to the 
end of the commitment (which can be either successful 
or not), i.e. excluding the opening. Each tooth of a comb 
corresponds to a single turn of the protocol, and, in the 
case of successful commitment, the last tooth represents 
the last turn before the opening. 

For histories that end in a successful commitment, in 
the opening Alice will send to Bob a classical message 
along with a set of ancillae prescribed by the protocol, 
and Bob will perform a suitable joint measurement on 
all quantum systems available to him, as in Fig. 2. The 
combination of Bob's comb (up to the opening) with the 
final measurement at the opening is itself a special case 
of quantum comb — the so-called quantum tester — whose 
output is the committed bit value. In this framework, 
Alice's comb plays the role of a "state" encoding the bit 
value, whereas Bob's tester plays the role of a "POVM" 
for binary discrimination. Such binary discrimination — 
prescribed by the protocol at its end — should not be con- 
fused with Bob's attempts to discriminate Alice's strate- 
gies before the opening. We will see that the fact that 
the protocol has many rounds actually can help Bob in 
discriminating between different Alice's strategies. Thus, 
the probability of Bob cheating — which in a protocol with 
a single Bob-Alice-Bob round would be represented by 
the CB-norm distance between Alice's channels — here 
is replaced by the comb distance ^^ , which is typically 
larger than the CB-norm, since Bob can exploit the mem- 
ory structure of Alice's strategy. 



FIG. 2: A two-party protocol in which classical and quantum 
information are exchanged assigns the set of allowed condi- 
tional combs, along with the pertaining input-output struc- 
ture. A conditional comb is a collection of quantum combs 
labeled by histories of classical communication, each quantum 
comb representing a specific sequence of single-party moves 
for a particular classical history. Each tooth of a comb cor- 
responds to a single turn of the protocol, the last one rep- 
resenting the last turn in the commitment phase. For his- 
tories ending in a successful commitment, at the opening 
Bob performs a joint measurement on all systems available 
to him. Combining Bob's comb before the opening with this 
final measurement yields a special case of quantum comb — 
the so-called quantum tester — whose output is the committed 
bit value. In this framework, Alice's comb plays the role of 
a "state" encoding the bit value, whereas Bob's tester plays 
the role of a "POVM" for binary discrimination. Such binary 
discrimination — prescribed by the protocol at its end — should 
not be confused with Bob's attempts to discriminate Alice's 
strategies before the opening. 

In the following we will consider the concealment-bindingness 
tradeoff for any possible history of classi- 
cal information exchanged within the protocol. This 
will allow us to restate the tradeoff in terms of a math- 
ematical theorem assessing the continuity of dilations 
of probabilistic quantum combs in terms of the comb 
discriminability-distance. The dilation theorem states 
that any probabilistic comb can be dilated to a sequence 
of single-Kraus quantum operations, upon introducing 
some additional ancillae. As a consequence, the impossi- 
bility proof will run essentially as follows. At the end of 
the commitment phase, two possible Alice's strategies for 
the bit values 0 and 1, respectively, are (almost) indistin- 
guishable to Bob, who lacks the quantum information en- 
coded in Alice's ancillae. Instead, at the opening, the two 
dilated strategies of Alice corresponding to the two values 
of the committed bit are (almost) perfectly discriminable. 
As a consequence of indistinguishability up to the open- 
ing phase, Alice can choose between the two strategies 
by performing a unitary transformation on the ancilla in 
the last tooth of her comb. Therefore, one has (almost) 
perfect opening, and, at the same time, Alice can cheat 
perfectly. The concealment-bindingness tradeoff is thus 
reduced to the continuity of the dilation of probabilistic 
combs in terms of their discriminability-distance. In the 
present paper we will restrict to finite-dimensional proto- 
cols, with finite-number of rounds. The last assumption 
does not introduce any practical limitation, since, in the 
real world one needs to put a bound anyway to the lapse 
of time needed for the commitment. We will anyway dis- 
cuss also protocols with unbounded number of rounds in 
the concluding section. 

Before starting the main sections of the paper, we com- 
pare here the present approach with that of the previ- 
ous impossibility proof in Ref. Ref. treats 
the strategies as the preparation of a quantum regis- 
ter, and classical and quantum communications are de- 
scribed in the Heisenberg picture in the unified frame- 
work of C*-algebras. In the present approach the C*- 
algebraic framework is avoided, by treating classical his- 
tories as labels for sequences of quantum operations in 
the Schrödinger picture, and strategies are identified 
with conditional quantum combs, which provide a di- 
rect mathematical formulation. At this level, the differ- 
ences are only in the mathematical language, but the two 
approaches are substantially equivalent. There are, how- 
ever, conceptual differences, in which the two approaches 
sensibly differ. The most relevant difference is the no- 
tion of security, which in the present treatment is taken 
at the strongest level, i.e. worst-case over all classical 
histories, whereas in Ref. security was defined in av- 
erage. The present security notion is cryptographically 
the strongest, corresponding to a priceless commitment 
bit. Another important difference between the present 
approach and that of Ref. is a more general impos- 
sibility proof, in which one can restrict the set of possi- 
ble Bob's operations to a set closed under dilations. In 
other words, we assume that Bob is able to keep pure 
his quantum information and to perform arbitrary quantum 
operations on his ancillae, whereas his operations on 
the quantum systems exchanged during the commitment 
can be restricted by arbitrary constraints. This makes 
the impossibility proof more general, including e.g. the 
case of a Bob constrained by a checking Alice. 

The paper is organized as follows. In Section II we review 
the definition and the main features of a quantum 
protocol for bit commitment, and define what a successful 
bit commitment protocol would have to achieve. In 
Section III we will briefly recall the prerequisites about 
quantum combs, including the notion of quantum tester, 
the discriminability-distance, the dilation of combs, and 
the notion of conditional comb. The most important re- 
sult of the section is the dilation theorem for quantum 
combs, along with a continuity theorem in terms of the 
discriminability-distance. In Section ^ we present the 
mathematical formulation of bit commitment in terms of 
quantum combs, and state the impossibility proof for pro- 
tocols with bounded and unbounded number of rounds 
of communication. The analysis will be based solely on 
the principles of quantum mechanics, including classical 
physics, but not including relativistic constraints, which 
are known to facilitate secure bit commitment [ESl G4|. 



Section VI concludes the paper with some comments on 
the main results. 



II. WHAT IS A PROTOCOL 

A protocol regulates the exchange of messages between 
participants, defining what are the honest strategies that 
they can adopt, so that at every stage it is clear what type 
of message is expected from the participants, although, of 
course, their content is not fixed. The expected message 
types can be either classical or quantum or a combination 
thereof. The number of classical states and the dimension 
of the Hilbert spaces at a given step can depend on the 
previously generated classical information. 



A. Phases of the Protocol 

In any bit commitment protocol, we can distinguish 
two main phases. The first is the commitment phase, 
in which Alice and Bob exchange classical and quantum 
messages in order to commit the bit. Eventually, this 
phase can end either with a successful commitment, or 
with an abort, in which the two parties irrevocably give 
up the purpose of committing the bit (of course, in a well- 
designed protocol, if both parties are honest the proba- 
bility of abort should be vanishingly small). If no abort 
took place, the bit value is considered to be committed 
to Bob but, supposedly, concealed from him. Since bit 
commitment is a two-party protocol and trusted third 
parties are not allowed, the starting state necessarily has 
to be originated by one of the two parties (see also Fig. 

Moreover, since we can always include in the protocol 
null steps (in which no information, classical or quantum, 
is exchanged), without loss of generality, we can restrict 
our attention to protocols that are started by Bob. 

FIG. 3: The bit commitment protocol is two-party only, and 
trusted third parties are not allowed. In the figure, rounded 
portions represent examples of trusted third parties, e.g. the 
left one could be a trusted joint state, and the right one a 
trusted joint measurement. Another example of third party 
could be a third comb interlaced with Alice's and Bob's. 

The second phase is the opening phase. In the case 
of abort during the commitment, this is just a null step, 
whereas, in the case of successful commitment, at the 
opening Alice will send to Bob some classical or quantum 
information in order to reveal the bit value. Taking 
both Alice's message and his own (classical and quantum) 
records, Bob will then perform a suitable verification 
measurement. His measurement will result in either 
a successful readout of the committed bit, or in a failure, 
e.g. due to the detection of an attempted cheat. 
Again, in a well-designed protocol the probability of fail- 
ure should be vanishingly small. 



B. Conditions on Successful Protocols 

In the following we will denote by $a_0$ and $a_1$ two honest 
strategies corresponding to the two bit values 0 and 
1, respectively. We call a protocol $\varepsilon$-concealing if, conditionally 
on any history of classical communication, Bob 
cannot distinguish between the strategies $a_0$ and $a_1$ (up 
to an error $\varepsilon$) before Alice opens the commitment. In general, 
of course, the probability of a given history of classical 
communication depends on whether Alice chooses 
$a_0$ or $a_1$. Since this dependence can be exploited by Bob 
to infer the bit value, we must require that, no matter 
what strategy $b$ Bob uses, the conditional probability of 
$a_0$ given history $s$ never differs from the probability of $a_1$ 
given history $s$ by more than $\varepsilon$. Note that this requirement 
must be satisfied even by histories that end up in 
an abort, otherwise, by the sole fact that the protocol 
aborted Bob could reliably infer the value of the bit. 

We say that an Alice's strategy $a^\sharp$ is $\delta$-close to $a$ if, 
conditionally on any history of classical communication, 
Bob cannot distinguish $a$ from $a^\sharp$ (up to an error $\delta$) at 
any time, including the opening phase. Given two honest 
strategies $a_0$ and $a_1$, a $\delta$-cheating is a pair of strategies 
$a_0^\sharp$ and $a_1^\sharp$, with the properties that i) $a_i^\sharp$ is $\delta$-close to 
$a_i$ for $i = 0, 1$ and ii) Alice can turn $a_0^\sharp$ into $a_1^\sharp$ with a local 
operation on her ancillae after the end of the commitment 
phase. In other words, the strategies $a_0^\sharp$ and $a_1^\sharp$ are the 
same throughout the commitment phase, and differ only 
by a local operation carried out before the opening. If no 
$\delta$-cheating strategy exists for Alice, we call the protocol 
$\delta$-binding. 

III. PREREQUISITES ON QUANTUM COMBS 

Here we briefly summarize the formalism of quantum 
combs and a few related results. In addition, this section 
contains the core result of this paper, namely the continuity 
theorem for the dilation of probabilistic quantum 
combs in terms of their discriminability-distance. 



A. Choi-Jamiolkowski operators and link product 

A quantum operation (trace non-increasing CP-map) 
from states on $\mathcal{H}_i$ to states on $\mathcal{H}_j$ is described by its 
Choi-Jamiolkowski operator 

(1) 

where $\mathcal{I}_i$ is the identity map on $\mathcal{H}_i$, and $|I_i\rangle\rangle \in \mathcal{H}_i^{\otimes 2}$ is 
the maximally entangled vector $|I_i\rangle\rangle = \sum_n |n\rangle|n\rangle$, $\{|n\rangle\}$ an 
orthonormal basis for $\mathcal{H}_i$. By Choi's theorem, the 
map $\mathscr{C}$ is CP if and only if the Choi-Jamiolkowski operator 
is positive (semidefinite). In general, we will often 
exploit the one-to-one correspondence between bipartite 
states $|F\rangle\rangle \in \mathcal{H}_j \otimes \mathcal{H}_i$ and operators $F$ from $\mathcal{H}_i$ to $\mathcal{H}_j$ 
given by 

$$|F\rangle\rangle = (F \otimes I_i)|I_i\rangle\rangle, \tag{2}$$

and the useful relation 

(3) 

$F^T$ denoting the transpose of $F$ with respect to the orthonormal 
basis $\{|n\rangle\}$. If $\mathscr{C}$ is a quantum operation from 
$\mathcal{H}_i$ to $\mathcal{H}_j$ and $\mathscr{D}$ is a quantum operation from $\mathcal{H}_j$ to $\mathcal{H}_k$, 
the Choi-Jamiolkowski operator of the quantum operation 
$\mathscr{D}\mathscr{C}$, from $\mathcal{H}_i$ to $\mathcal{H}_k$, resulting from the connection 
of $\mathscr{C}$ and $\mathscr{D}$ is given by the link product 

$$D * C := \mathrm{Tr}_j[(D \otimes I_i)(I_k \otimes C^{T_j})], \tag{4}$$

$\mathrm{Tr}_j$ and $T_j$ denoting partial trace and partial transpose 
on $\mathcal{H}_j$, respectively. A quantum operation is trace-preserving 
(i.e. it is a channel) if and only if it satisfies 
the normalization condition 

(5) 

Viewing quantum states as a special kind of channels 
(with one-dimensional input space), Eq. (4) yields 

$$\mathscr{C}(\rho) = C * \rho = \mathrm{Tr}_i[C(I_j \otimes \rho^T)]. \tag{6}$$



B. Quantum combs 

A quantum comb describes a sequential network of $N$ 
quantum operations with memory $(\mathscr{C}_k)_{k=0}^{N-1}$, with $N - 1$ 
open slots in which variable quantum operations can 
be inserted, as in Fig. 4. 

FIG. 4: $N$-comb: sequential network of quantum operations 
with memory. The network contains input and output 
systems (free wires in the diagram), as well as internal memories 
(wires connecting the boxes). 

The comb is in one-to-one 
correspondence with the Choi-Jamiolkowski operator 
$R$ of the network, which can be computed as the link 
product of the Choi-Jamiolkowski operators $(C_k)_{k=0}^{N-1}$: 



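$$R := C_{N-1} * C_{N-2} * \cdots * C_1 * C_0. \tag{7}$$

Labelling the input (output) spaces of $\mathscr{C}_k$ as 
$\mathcal{H}_{2k}$ ($\mathcal{H}_{2k+1}$), we have that $R$ is a non-negative 
operator on $\mathcal{K} := \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$. 

For networks of channels the operator $R$ has to satisfy 
the recursive normalization condition 

$$\mathrm{Tr}_{2k-1}[R^{(k)}] = I_{2k-2} \otimes R^{(k-1)}, \qquad k = 1, \dots, N, \tag{8}$$

where $R^{(N)} := R$, $R^{(k)} \in \mathrm{Lin}\big(\bigotimes_{j=0}^{2k-1} \mathcal{H}_j\big)$, and $R^{(0)} = 1$. 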
Moreover, one has the characterization: 

Theorem 1 Any positive operator $R$ satisfying Eq. (8) 
is the Choi-Jamiolkowski operator of a sequential network 
of $N$ channels. Any positive operator $R'$ such that 
$R' \le R$ is the Choi-Jamiolkowski operator of a sequential 
network of $N$ quantum operations. 

We call a quantum comb $R$ satisfying Eq. (8) deterministic, 
and a comb $R' \le R$ probabilistic. 



C. Dilation of quantum combs 

By the Stinespring-Kraus-Ozawa theorem, any 
quantum operation $\mathscr{C}$ from states on $\mathcal{H}_i$ to $\mathcal{H}_j$ can be 
dilated to an isometric map followed by a post-selection 
on an ancilla 

$$\mathscr{C}(\rho) = \mathrm{Tr}_A[(I_j \otimes P_A) V \rho V^\dagger], \qquad K := (I_j \otimes P_A) V, \tag{9}$$

with $V$ isometry from $\mathcal{H}_i$ to $\mathcal{H}_j \otimes \mathcal{H}_A$, and $P_A$ orthogonal 
projector on a subspace of the ancilla space $\mathcal{H}_A$. 
We refer to the single-Kraus map 

$$\tilde{\mathscr{C}}(\rho) := K \rho K^\dagger \tag{10}$$

as a dilation of the quantum operation $\mathscr{C}$. In terms of 
Choi-Jamiolkowski operators, one has 



(11) 



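where $\tilde{C} = |K\rangle\rangle\langle\langle K|$ is the Choi-Jamiolkowski operator 
of the dilation. A (minimal) dilation of the quantum 
operation $\mathscr{C}$ has ancilla space $\mathcal{H}_A = \mathrm{Supp}(C) \subseteq \mathcal{H}_j \otimes \mathcal{H}_i := \mathcal{H}_{ij}$, 
and Choi-Jamiolkowski operator 

$$\tilde{C} = |C^{1/2}\rangle\rangle\langle\langle C^{1/2}| \in \mathrm{Lin}(\mathcal{H}_{ij} \otimes \mathcal{H}_A). \tag{12}$$

In particular, when the quantum operation is a quantum 
channel, its dilation is also a channel, $\tilde{\mathscr{C}}(\rho) = V \rho V^\dagger$ with $V$ an 
isometry, with the Choi-Jamiolkowski operator satisfying 
the normalization condition $\mathrm{Tr}_{j,A}[\tilde{C}] = I_i$. 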

Since a quantum comb $R \in \mathrm{Lin}(\mathcal{K})$ with $\mathcal{K} = \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$ 
represents a sequential network of quantum 
operations, one can always obtain a dilation of the comb 
by dilating each quantum operation in the network. A 
useful dilation of $R$ is given by 

(13) 

where $\mathcal{H}_A = \mathrm{Supp}(R) \subseteq \mathcal{K}$. The dilation $\tilde{R}$ has the following 
interpretation: $\tilde{R}$ is a quantum comb acting on the 
Hilbert spaces $(\tilde{\mathcal{H}}_j)_{j=0}^{2N-1}$, where $\tilde{\mathcal{H}}_{2N-1} := \mathcal{H}_{2N-1} \otimes \mathcal{H}_A$ 
and $\tilde{\mathcal{H}}_k := \mathcal{H}_k$ for $k < 2N - 1$. Therefore, by Theorem 1 
it represents a sequence of $N$ quantum operations with 
memory $(\tilde{\mathscr{C}}_k)_{k=0}^{N-1}$. Tracing out the ancilla space $\mathcal{H}_A$ in 
the output $\tilde{\mathcal{H}}_{2N-1} = \mathcal{H}_{2N-1} \otimes \mathcal{H}_A$ of the last quantum 
operation $\tilde{\mathscr{C}}_{N-1}$, one then obtains back the original network 

$$R = \mathrm{Tr}_A[\tilde{R}]. \tag{14}$$

Note that only the ancilla space $\mathcal{H}_A$ in the output of the 
last quantum operation appears in the dilation $\tilde{R}$. 

For quantum states it is known that the purification is 
unique up to partial isometries on the ancilla spaces. For 
quantum combs one has the straightforward extension: 



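Proposition 1 Let $R \in \mathrm{Lin}(\mathcal{K})$, $\mathcal{K} = \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$, be 
a quantum comb. Let $\tilde{R} \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_A)$ and 
$\tilde{R}' \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_{A'})$ be two dilations of $R$, $\tilde{R}$ and $\tilde{R}'$ 
both non-negative rank-one operators such that 

$$\mathrm{Tr}_A[\tilde{R}] = \mathrm{Tr}_{A'}[\tilde{R}']. \tag{15}$$

Then there exists a partial isometry $W$ from $\mathcal{H}_A$ to $\mathcal{H}_{A'}$ 
such that 

$$\tilde{R}' = (I \otimes W)\,\tilde{R}\,(I \otimes W^\dagger), \qquad \tilde{R} = (I \otimes W^\dagger)\,\tilde{R}'\,(I \otimes W), \tag{16}$$

$I$ denoting the identity on $\mathcal{K}$. 
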

For the application to bit commitment it is crucial to 
note that all dilations of a comb can be obtained by just 
applying a partial isometry W on the last output system. 
An obvious consequence of the above fact is: 



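Corollary 1 Let $R \in \mathrm{Lin}(\mathcal{K})$, $\mathcal{K} = \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$, be 
a quantum comb. If $\tilde{R} \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_A)$ and 
$\tilde{R}' \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_{A'})$ are two dilations of $R$, then there exist two 
quantum channels $\mathscr{E}$ from states on $\mathcal{H}_A$ to states on $\mathcal{H}_{A'}$ 
and $\mathscr{F}$ from states on $\mathcal{H}_{A'}$ to states on $\mathcal{H}_A$ such that 

$$\tilde{R}' = (\mathcal{I} \otimes \mathscr{E})(\tilde{R}) = E * \tilde{R}, \qquad \tilde{R} = (\mathcal{I} \otimes \mathscr{F})(\tilde{R}') = F * \tilde{R}', \tag{17}$$

$\mathcal{I}$ denoting the identity map on $\mathcal{K}$, and $E$ and $F$ being 
the Choi-Jamiolkowski operators of the channels $\mathscr{E}$ and 
$\mathscr{F}$, respectively. 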

This means that one can switch from one dilation to an- 
other just by performing some physical transformation 
on the ancilla in output of the last quantum operation of 
the comb. As we will see in the following, in a bit com- 
mitment protocol this implies that Alice can delay her 
choice of the bit to the last moment before the opening. 



D. Quantum testers 

A tester represents a quantum network starting with 
a state preparation and finishing with a measurement. 
When such a network is connected to a network of $N$ 
quantum operations as in Fig. 5, the output is a measurement 
outcome $i$ with probability $p_i$. In a bit commitment 
protocol, a dishonest Bob will perform a tester 
to distinguish Alice's strategies before the opening. 

FIG. 5: Testing a network of $N$ quantum operations $(\mathscr{C}_k)_{k=0}^{N-1}$. 
The tester consists in the preparation of an input state $\rho_0$, 
followed by quantum operations $\{\mathscr{D}_1, \dots, \mathscr{D}_{N-1}\}$, and a final 
measurement $\{P_i\}$. 

Mathematically, the tester is the collection of Choi-Jamiolkowski 
operators $\{T_i\}$ given by 

$$T_i := P_i * D_{N-1} * \cdots * D_1 * \rho_0, \tag{18}$$

where $(D_k)_{k=1}^{N-1}$ are the Choi-Jamiolkowski operators of 
the quantum operations $(\mathscr{D}_k)_{k=1}^{N-1}$ of Fig. 5. If the sum 
over all outcomes $T = \sum_i T_i$ is a deterministic comb, we 
call the tester normalized. 

When the tester is connected to a quantum network 
$R$, the probability of the outcome $i$ is 



(19) 



which is nothing but the Born rule, for quantum net- 
works rather than states. Notice that one can include 
the transpose in the definition of the tester, thus getting 
the familiar form of the Born rule $p_i = \mathrm{Tr}[T_i R]$. How- 
ever, here we preferred to write probabilities in terms of 
the combs R and Ti of the measured and measuring net- 
works, respectively, thus making explicit that the Born 
rule is nothing but a particular case of link product, the 
transpose appearing as the signature of the linking of two 
networks. 

For a deterministic comb R and a normalized tester 
{Ti} one has the normalization of the total probability: 



j2p, = j2nT[R]^i. 



(20) 



In general, if one considers sub-normalized testers, one 
has 



(21) 



In the following we will call $T = \sum_i T_i$ the tester operator. 



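Proposition 2 (Decomposition of testers [22]) Let
$T \in \mathrm{Lin}(\mathcal{K})$, $\mathcal{K} = \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$, be the tester operator of
the quantum tester $\{T_i\}$. Let $\mathcal{H}_B$ be the ancilla space
$\mathcal{H}_B = \mathrm{Supp}(T) \subseteq \mathcal{K}$, and $\tilde{T}$ be the dilation given by

$$\tilde{T} = |T^{1/2}\rangle\rangle\langle\langle T^{1/2}| \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_B). \tag{22}$$

Then, one has the identity

$$\tilde{T} * R = [T^{\top}]^{1/2} R\, [T^{\top}]^{1/2}. \tag{23}$$

Moreover, the probabilities of outcomes $p_i = T_i * R$ are
given by

$$p_i = P_i * \tilde{T} * R, \tag{24}$$

where $\{P_i\}$ is the POVM on $\mathcal{H}_B$ defined by

$$P_i = T^{-1/2}\, T_i\, T^{-1/2}, \tag{25}$$

$T^{-1/2}$ being the inverse of $T^{1/2}$ on its support.

Proof. Checking Eq. (23) is immediate using Eq. (||):

$$\tilde{T} * R = \mathrm{Tr}_{\mathcal{K}}\big[(R^{\top} \otimes I_B)\, |T^{1/2}\rangle\rangle\langle\langle T^{1/2}|\big] = [T^{\top}]^{1/2} R\, [T^{\top}]^{1/2}. \tag{26}$$

Regarding Eq. (24), one has $p_i = T_i * R = \mathrm{Tr}[T_i^{\top} R] = \mathrm{Tr}\big[[T^{\top}]^{1/2} P_i^{\top} [T^{\top}]^{1/2} R\big] = \mathrm{Tr}[P_i^{\top} (\tilde{T} * R)] = P_i * \tilde{T} * R$. ■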

The interpretation of the above result is the following 
realization scheme for the tester {Ti}: 



• realize the quantum network $\tilde{T}$ and connect it with
the measured network $R$

• conditionally on the given history of classical in-
formation corresponding to $\tilde{T}$, perform the POVM
$\{P_i\}$ on the ancilla state $\rho = \tilde{T} * R$.



E. Discriminability of combs 

Proposition 2 reduces any measurement on a quantum
network $R$ to a measurement on a suitable (sub-normalized)
state $\rho = \tilde{T} * R$, which is obtained by connecting
the input comb $R$ with a suitable comb $\tilde{T}$ corresponding
to the dilation of Eq. (22). In particular, it
reduces the discrimination of two networks $R_0$ and $R_1$ to
the discrimination of two output states

$$\rho_T^{(i)} = \tilde{T} * R_i = [T^{\top}]^{1/2} R_i\, [T^{\top}]^{1/2}, \qquad i = 0, 1. \tag{27}$$

This allows for the definition of an operational distance
between networks [22], whose meaning is directly related
to statistical discriminability

$$\|R_1 - R_0\| = \sup_T \big\|\rho_T^{(1)} - \rho_T^{(0)}\big\|_1 = \sup_T \big\|\tilde{T} * (R_1 - R_0)\big\|_1 = \sup_T \big\|[T^{\top}]^{1/2} (R_1 - R_0) [T^{\top}]^{1/2}\big\|_1, \tag{28}$$

where the supremum is taken over the set of all tester
operators $T = \sum_i T_i$, and $\|A\|_1 = \mathrm{Tr}|A|$. Remarkably,
the above norm can be strictly greater than the cb-norm 
of the difference — of the two multipartite channels 
p2t , since a sequential scheme such as that in Fig. ^ can 
achieve a strictly better discrimination than a parallel 
scheme where a multipartite entangled state is fed in the 
unknown channel. 

When the tester $T$ and the combs $R_i$ are probabilistic
(namely correspond to networks of quantum operations)
the states $\rho_T^{(i)} = \tilde{T} * R_i$ are generally sub-normalized, i.e.
$\mathrm{Tr}[\rho_T^{(i)}] < 1$. In this case, the sole fact that the sequences
of quantum operations represented by $T$ and $R_i$ took
place helps in discriminating between $R_0$ and $R_1$. To be
concrete, consider the scenario in which $R_0$ and $R_1$ have
flat prior probabilities $\pi_0 = \pi_1 = 1/2$. The probability
that the sequence of operations represented by $T$ and $R_i$
takes place is then given by $p(T, R_i) = \mathrm{Tr}[\rho_T^{(i)}]/2$. Since
this probability depends on $i$, upon knowing that the
sequence of quantum operations $T$ took place the initial
flat prior must be updated to

$$\pi_i' := p(R_i | T) = \frac{p(T, R_i)}{p(T)} = \frac{\mathrm{Tr}[\rho_T^{(i)}]}{\mathrm{Tr}[\rho_T^{(0)} + \rho_T^{(1)}]}. \tag{29}$$

The discrimination is now between the two conditional
states $\rho_T^{(i)} / \mathrm{Tr}[\rho_T^{(i)}]$ with prior probability $\pi_i'$, $i = 0, 1$.
Therefore, the maximum success probability is given by



(30) 



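Accordingly, we introduce the comb discriminability "distance"

$$d(R_1, R_0) := \sup_T{}' \frac{\big\|\rho_T^{(1)} - \rho_T^{(0)}\big\|_1}{\mathrm{Tr}\big[\rho_T^{(1)} + \rho_T^{(0)}\big]} = \sup_T{}' \frac{\big\|\tilde{T} * (R_1 - R_0)\big\|_1}{\mathrm{Tr}[\tilde{T} * (R_1 + R_0)]} = \sup_T{}' \frac{\big\|[T^{\top}]^{1/2} (R_1 - R_0) [T^{\top}]^{1/2}\big\|_1}{\mathrm{Tr}[T^{\top} (R_1 + R_0)]}, \tag{31}$$

where $\sup'$ (and consistently $\inf'$) denotes the supremum
(infimum) restricted to the tester operators $T$ such that
$\mathrm{Tr}[T^{\top}(R_0 + R_1)] > 0$. Here and in the following, we use
the word "distance" informally, although for probabilistic
combs the function $d$ is just a semi-metric, namely the
triangular inequality does not hold (e.g. consider the
states $\rho = \tfrac{1}{2}|0\rangle\langle 0|$, $\sigma = \tfrac{1}{2}|1\rangle\langle 1|$, and $\tau = I/2$, for
which $d(\rho, \sigma) > d(\rho, \tau) + d(\tau, \sigma)$).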



1. Discriminability with a restricted set of testers 

The comb distance quantifies the performances of the
best scheme among all possible sequential schemes one
can use to discriminate between two quantum networks.
However, in a bit commitment protocol the set of schemes
that Bob can actually use for discrimination may be limited
by several factors. For example, Alice could perform
random checks during the commitment phase in order to
force Bob to use a quantum network that is close to the
one prescribed by the honest strategy. We will therefore
define optimal discrimination between $R_0$ and $R_1$ relatively
to a restricted set $\mathsf{T}$ of tester operators that can
actually occur in the protocol, thus introducing the discriminability
"distance"

$$d(R_1, R_0)|_{\mathsf{T}} := \sup_{T \in \mathsf{T}}{}' \frac{\big\|\rho_T^{(1)} - \rho_T^{(0)}\big\|_1}{\mathrm{Tr}\big[\rho_T^{(1)} + \rho_T^{(0)}\big]} = \sup_{T \in \mathsf{T}}{}' \frac{\big\|[T^{\top}]^{1/2} (R_1 - R_0) [T^{\top}]^{1/2}\big\|_1}{\mathrm{Tr}[T^{\top} (R_1 + R_0)]}. \tag{32}$$

The restriction of possible testers to a general set implies
that the distance defined in Eq. (32) does not satisfy the
property $d(x, y) = 0 \Rightarrow x = y$.



Lemma 1 The discriminability distance in Eq. (32) is
monotone under the application of a channel on the output
spaces, namely

$$d\big((\mathcal{I} \otimes \mathcal{A}_n)(R_1), (\mathcal{I} \otimes \mathcal{A}_n)(R_0)\big)\big|_{\mathsf{T}} \le d(R_1, R_0)|_{\mathsf{T}}. \tag{33}$$

Proof. Use monotonicity of trace-distance and the fact
that the map $\mathcal{A}_n$ is trace-preserving. ■



F. Continuity of dilation 

We now prove that if two quantum combs $R_0$ and $R_1$
are close to each other then there exist two dilations $\tilde{R}_0$
and $\tilde{R}_1$ that are close with respect to the discriminability
distance. Such continuity theorem replaces the Stinespring's
continuity theorem pTf used in the previous (C*-algebraic)
impossibility proof of Ref. [|| .

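Lemma 2 (Continuity of dilation) Let $R_0, R_1 \in \mathrm{Lin}(\mathcal{K})$
be two quantum combs, $\tilde{R}_i = |R_i^{1/2}\rangle\rangle\langle\langle R_i^{1/2}| \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_A)$,
$\mathcal{H}_A \simeq \mathcal{K}$, be two dilations, and $\mathsf{T} \subseteq \mathrm{Lin}(\mathcal{K})$
be an arbitrary set of tester operators $T$. The following
bound holds

$$\inf_{\mathcal{V}} d\big(\tilde{R}_1, (\mathcal{I} \otimes \mathcal{V})(\tilde{R}_0)\big)\big|_{\mathsf{T} \otimes I} \le \sqrt{2\, d(R_0, R_1)|_{\mathsf{T}}}, \tag{34}$$

where $\mathsf{T} \otimes I = \{T \otimes I \mid T \in \mathsf{T}\}$ and the infimum is
taken over the set of random unitary channels $\mathcal{V}(\rho) = \sum_k p_k U_k \rho U_k^{\dagger}$
acting on the ancilla $\mathcal{H}_A$.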



Proof. If we define 



Ri~ {I (E)Uk)Ro{I<E)Ul) 
Tr[(i?o + Ri) * T] 



(35) 



we have 



= inf sup' 



inf d(i?i,(J®P)(i?o 
The triangle inequality for the trace-norm yields 



k 

(36) 



Moreover, exploiting Eq. ( p3| ) we can write 
Ac/, 



(37) 



(38) 



where ^'^ / and c/fc ^'"^ defined by 



I* 



- T,C 

(^) « 
T,C» 



't,c\ 



{[T-]^®C)\RJ)) 
v/Tr[(i?o -t- Ri)T-] 



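(39)

for $C \in \mathrm{Lin}(\mathcal{H}_A)$ any contraction. Using the bound

$$\big\| |\psi\rangle\langle\psi| - |\varphi\rangle\langle\varphi| \big\|_1^2 \le (\|\psi\| + \|\varphi\|)^2 \big(\|\psi\|^2 + \|\varphi\|^2 - 2|\langle\psi|\varphi\rangle|\big),$$

which for $\|\psi\|^2 + \|\varphi\|^2 = 1$ becomes

$$\big\| |\psi\rangle\langle\psi| - |\varphi\rangle\langle\varphi| \big\|_1^2 \le 2\big(1 - 2|\langle\psi|\varphi\rangle|\big),$$

we obtain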



(40) 



(41) 



(42) 



Then, by Jensen's inequality we have the following bound
V2inf sup'^Pfc (l - 2|((*^'^^|^ 



TeT 



< 



\/2inf sup' 1 - 2^pfc I ((^W 1^(0) 



T,U, 



V2 inf sup' 1 

-P TET \ 

V2inf sup' (l - 




(43) 



2 ((4^ii4"L>: 



< 



A/2inf sup' f 1 - 2Re{{^^^\\^%))] ' , 



where $C$ is the contraction $C = \sum_k p_k U_k$. Let us denote
by $\mathsf{C}$ the compact convex set of all contractions
$C = \sum_k p_k U_k$, and define the following function on $\mathsf{C} \times \mathsf{T}$



fiCT) :=Re((4)|4°b), 



(44) 



In Appendix A we use Sion's minimax theorem of Ref.
p8[ to prove the identity

$$\inf_{T \in \mathsf{T}}{}' \sup_{C \in \mathsf{C}} f(C, T) = \sup_{C \in \mathsf{C}} \inf_{T \in \mathsf{T}}{}' f(C, T). \tag{45}$$

The chain of inequalities proved until now gives 

M d(Ri,{I(g)V)iRo)) < \/2(l -2sup inf '/(C,r))^ 

V \ / T c TeT 



= V2 l-2inf' sup /(C,T) = 

TeT c 



<V2{l - 2inf 'sup/(C/,r) 

TeT u 



(46) 
(47) 



where we substituted the supremum over contractions
$C = \sum_k p_k U_k$ with the supremum over unitaries $U$, since
the function $f(T, C)$ is linear in $C$. Moreover, we have



sup /(T, U) = supRe((*^°^^|/ (g, C/l^-^'^^)) 
u c/ ' ' 



,(1) ' 



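where $\rho_T^{(i)}$, $i = 0, 1$, denote the unnormalized states
$\rho_T^{(i)} := [T^{\top}]^{1/2} R_i [T^{\top}]^{1/2}$ and $F(\rho, \sigma) = \sup_U \mathrm{Tr}[\rho^{1/2} U \sigma^{1/2}]$
is the Uhlmann fidelity. Finally, we can use the Bures-
Alberti-Uhlmann bound

$$\mathrm{Tr}[\rho + \sigma] - 2F(\rho, \sigma) \le \|\rho - \sigma\|_1$$

to obtain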



inf (i(i?i,(J®P)(i?o) 



V2sup' I 1 - 2- 
TeT 



< 



(49) 



(50) 



F 




,p'?) 


■)■ 


Tr 




^p'^\ 





< sup' 
TeT 



G. Conditional quantum combs 

A general two party protocol entails the exchange
of both quantum systems and of classical information,
which is in principle openly known. Therefore, the strategy
of a party will result in a sequence of quantum operations
$\mathcal{C}^{(s_{2k-2})}_{i_{2k-1}}$, $k = 1, 2, \ldots, N$, as in Fig. ||. Here the
index $i_{2k-1}$ denotes the outcome of the quantum operation,
and the string $s_l$ represents the full history of classical
information exchanged before the occurrence of the
operation, namely $s_l = i_0 i_1 \ldots i_l$, with $i_{2k-2}$ representing
the input classical information at step $k$.

FIG. 6: Sequence of quantum operations depending on previously
exchanged classical information. Here $i_{2k-1}$ is the
outcome of the $k$-th quantum operation, and $s_l = i_0 i_1 \ldots i_l$
is the history of classical information available at step $l$. The
collection of all sequences corresponding to all possible classical
histories is the conditional comb.

For example, if



the comb in Fig. ^ represents Alice's strategy in a two-
party protocol with Alice's and Bob's combs interlaced
as in Fig. ||, it describes the following situation: Alice
receives from Bob the classical information $i_0 = s_0$ along
with a quantum system with Hilbert space $\mathcal{H}_{s_0}$. Then
she performs the instrument $\mathcal{J}^{(s_0)} = \{\mathcal{C}^{(s_0)}_j\}$, obtaining the
outcome $j = i_1$. After that she sends to Bob the outcome
along with a quantum system with Hilbert space
$\mathcal{H}_{s_1}$ with $s_1 = i_0 i_1$. The normalization of the instrument
is

$$\sum_{i_1} \mathrm{Tr}_{\mathcal{H}_{s_1}}\big[\mathcal{C}^{(s_0)}_{i_1}(\rho)\big] = \mathrm{Tr}[\rho], \qquad \forall s_0,\ \forall \rho \in \mathrm{Lin}(\mathcal{H}_{s_0}), \tag{52}$$

which, in terms of Choi-Jamiolkowski operators, reads

$$\sum_{i_1} \mathrm{Tr}_{\mathcal{H}_{s_1}}\big[C^{(s_0)}_{i_1}\big] = I_{s_0} \qquad \forall s_0. \tag{53}$$

At the next step Alice receives from Bob the classical
information $i_2$ along with a quantum system with
Hilbert space $\mathcal{H}_{s_2}$ which depends on $s_2 = i_0 i_1 i_2$. Then
she performs the instrument $\mathcal{J}^{(s_2)} = \{\mathcal{C}^{(s_2)}_j\}$, obtaining
the outcome $j = i_3$, and so on. By linking the Choi-
Jamiolkowski operators of all quantum operations, one
obtains a family of probabilistic combs $\{R_{s_{2N-1}}\}$ satisfying
the normalization conditions

(fe) 1

S2k-2'i2k-l -I

where R (AT) f?^^^ and i?*^"-* = 1.

Eq. (54) is the mathematical representation
of the most general strategy in an $N$-round protocol
with exchange of classical and quantum information,
generalizing the game theoretical framework introduced
by Gutoski and Watrous [21] for protocols involving only
exchange of quantum systems. We will call the collection
of probabilistic quantum combs satisfying Eq. (54) a conditional
comb. This nomenclature reflects the fact that
the most general way of conditioning a quantum comb
needs to use at each step the information coming from
all previous steps.

Eq. (54) sets a one-to-one correspondence between
single-party strategies in a protocol and conditional
combs: indeed, a collection of positive operators satisfying
Eq. (54) can always be realized by a sequence of
quantum instruments conditioned by classical information,
as in Fig. (||). This fact is proved in the following
proposition.

Theorem 2 Any conditional comb is the collection of
Choi-Jamiolkowski operators of a sequential network of
$N$ conditional instruments as in Fig.

Proof. Suppose that a collection of operators $\{R_{s_{2N-1}}\}$
labeled by classical strings $s_{2N-1} = i_0 i_1 \ldots i_{2N-1}$ satisfies
conditions Eq. (54). Then, we can define the operator

$$R := \sum_{s_{2N-1}} R_{s_{2N-1}} \otimes |s_{2N-1}\rangle\langle s_{2N-1}| \otimes |s_{2N-2}\rangle\langle s_{2N-2}| \otimes \cdots \otimes |s_0\rangle\langle s_0|. \tag{55}$$

Here, $R$ acts on the tensor product $\mathcal{K} := \bigotimes_{j=0}^{2N-1} \mathcal{H}_j$,
where the $j$-th space is $\mathcal{H}_j := \bigoplus_{s_j} (\mathcal{H}_{s_j} \otimes |s_j\rangle)$. With
this definition, $R$ is a deterministic comb, i.e. an operator
satisfying Eq. (|^). Therefore, by Proposition ]^, $R$
can be realized with a network of $N$ channels $\{\mathcal{C}_k\}_{k=0}^{N-1}$
as in Fig. ^. Now, if we apply the von Neumann-
Lüders measurements $\{I_{s_{2k}} \otimes |s_{2k}\rangle\langle s_{2k}|\}$ on the input
space $\mathcal{H}_{2k}$ before channel $\mathcal{C}_k$, followed by $\{I_{s_{2k+1}} \otimes |s_{2k+1}\rangle\langle s_{2k+1}|\}$
on the output space $\mathcal{H}_{2k+1}$ after channel
$\mathcal{C}_k$, we obtain the conditional quantum operations
$\mathcal{C}^{(s_{2k})}_{i_{2k+1}}$. Denoting by $C^{(s_{2k})}_{i_{2k+1}}$ the Choi-Jamiolkowski operator
of the quantum operation $\mathcal{C}^{(s_{2k})}_{i_{2k+1}}$ we then have

i2k+l

i.e. $R_{s_{2N-1}}$ is the Choi-Jamiolkowski operator of the sequence of quantum
operations $\{\mathcal{C}^{(s_{2k})}_{i_{2k+1}}\}_{k=0}^{N-1}$, as in Fig. |. ■

In the following we will consider the dilation of a conditional
comb $\{R_{s_{2N-1}}\}$ defined as the collection $\{\tilde{R}_{s_{2N-1}}\}$
of dilations $\tilde{R}_{s_{2N-1}} \in \mathrm{Lin}\big(\bigotimes_{j=0}^{2N-1} \mathcal{H}_{s_j} \otimes \mathcal{H}_{A,s_{2N-1}}\big)$ of
each comb $R_{s_{2N-1}} \in \mathrm{Lin}\big(\bigotimes_{j=0}^{2N-1} \mathcal{H}_{s_j}\big)$, where $\mathcal{H}_{A,s_{2N-1}}$
is an ancillary space depending on history. The following
theorem guarantees that the dilation of a conditional
comb is still a conditional comb.

Theorem 3 For any conditional comb $\{R_{s_{2N-1}}\}$ the dilation
$\{\tilde{R}_{s_{2N-1}}\}$ defined by $\tilde{R}_{s_{2N-1}} := |R_{s_{2N-1}}^{1/2}\rangle\rangle\langle\langle R_{s_{2N-1}}^{1/2}|$
is a conditional comb.

Proof. Define U' := Ks 'Ha,s and
$\mathcal{H}'_{s_l} = \mathcal{H}_{s_l}$ for $l < 2N - 1$. Then, the operators
$\{\tilde{R}_{s_{2N-1}}\}$ form a conditional comb with $\tilde{R}_{s_{2N-1}} \in$

The dilation of a conditional comb describes a sequence
of single-Kraus quantum operations, each of them
depending on the previously exchanged classical information.
Loosely speaking, this theorem means that the
"quantum part" of any strategy can be purified until the
end of the protocol, still resulting in a valid strategy.



IV. COMB FORMULATION OF THE 
QUANTUM BIT COMMITMENT 

A (generally multiparty) protocol establishes which are 
the honest single-party strategies. A strategy is a choice 
of processing of classical/quantum information at each 
step, and specifies which quantum instrument a party 
will perform jointly on his ancillae and on the received 
quantum systems, conditionally on the available classical 
information. The honest strategies of the protocol fix 
the communication interface among parties, consisting of 
the complete specification of which classical and quantum 
systems are exchanged at each step. A cheating strategy 
can be any strategy that conforms to the communication 
interface. 

A definition of security of a protocol generally depends 
on the specific goals of the involved parties. For the quan- 
tum bit commitment a protocol is defined as perfectly 
secure if the following conditions are satisfied:

• concealment: for all Alice's honest strategies Bob
cannot read the committed bit before the opening;

• bindingness: for all honest Bob's strategies Alice
cannot change the value of the committed bit without
being detected.

Note the asymmetry between the security condition for
the two parties: on the one hand, security for Alice means
that Bob has no chance at all to read the bit, while, on
the other hand, security for Bob means that if Alice tries
to cheat, she will be surely detected. Perfect security is
relaxed to the case of $\varepsilon$-concealment and $\delta$-bindingness,
where the probability for Bob to read the committed bit
is bounded by $\varepsilon$, and the probability for Alice to change
the bit value is bounded by $\delta$.

In the following subsections we will formulate strate- 
gies in terms of quantum combs, and evaluate the prob- 
abilities of successfully cheating for both parties. 



A. Alice's and Bob's strategies 

As already noticed, there is no loss of generality in considering
bit commitment protocols started by Bob. With
the letter $k = 1, \ldots, N$ we will denote the $k$-th Bob's
and Alice's step. Thus $s_l = i_0 i_1 \ldots i_l$ will represent the
history of classical information with $i_{2k-1}$ denoting the
outcome of Bob's quantum operation at step $k$ (which
is the same as Alice's classical input at Alice's step $k$)
and $i_{2k-2}$ for $k > 1$ represents Bob's input classical information
(which is Alice's outcome at step $k - 1$). At
the beginning of the protocol there is no classical and
quantum information, whence $s_0 = i_0$ is the null string
and $\mathcal{H}_{s_0} = \mathbb{C}$. At the end of the commitment stage we can
assume without loss of generality that Alice performs the
last move (for a protocol where the last move is Bob's,
we can always add a null move, in which no classical and
quantum systems are sent).

We now analyze the case in which the total number of
steps in the protocol is bounded uniformly over all possible
histories, and denote by $N$ the maximum number
of steps. Moreover, since we can always add null moves,
we consider without loss of generality protocols where
the number of steps is $N$ independently of the history.
Therefore the classical history labeling the sequence of
quantum operations will be $s_{2N}$ for Alice, and $s_{2N-1}$ for
Bob. Finally, by adding null steps we can decide without
loss of generality that in the last move before the opening
Alice performs just a local operation on her ancillae,
i.e. she does not send to Bob any classical or quantum
information. Accordingly, $i_{2N}$ is the null string, and
$\mathcal{H}_{s_{2N}} = \mathbb{C}$ for any history $s_{2N}$. Since both $i_0$ and $i_{2N}$ are
null strings, we have $s_{2N} = s_{2N-1} = i_1 i_2 \ldots i_{2N-1}$.

We denote by $\mathsf{A}_0$ and $\mathsf{A}_1$ the sets of honest strategies
that Alice can use to encode bit values 0 and 1, respectively.
According to Subsect. III G a possible strategy
in $\mathsf{A}_i$ is a conditional quantum comb $\{A_{i,s_{2N}}\}$, where the
index $s_{2N}$ labels a history of classical information exchanged
between Alice and Bob. For each history $s_{2N}$,
$A_{i,s_{2N}}$ is a probabilistic comb on $\mathcal{K}_{s_{2N}} \otimes \mathcal{H}_{A,s_{2N}}$, where
$\mathcal{K}_{s_{2N}} = \bigotimes_{j=1}^{2N} \mathcal{H}_{s_j}$ is the Hilbert space of all quantum
systems exchanged in the protocol and $\mathcal{H}_{A,s_{2N}}$ is the
Hilbert space of Alice's private ancillae at the last step
of the commitment phase.

We denote by $\mathsf{B}$ the set of strategies (honest or not)
that are available to Bob. The set $\mathsf{B}$ can be the whole
set of strategies compatible with the communication interface,
or a restricted subset. The only assumption here
is that if $\mathsf{B}$ contains a strategy, then it contains also its
dilations. The reader should then regard $\mathsf{B}$ as a parameter
of his own choice for the rest of the paper: the impossibility
proof will state that if the protocol is concealing
for a Bob restricted to $\mathsf{B}$, then it is necessarily
not binding for Bob restricted to that subset. An element
of $\mathsf{B}$ is a collection of probabilistic quantum combs
$\{B_{s_{2N-1}}\}$. For each history $s_{2N-1}$, $B_{s_{2N-1}}$ is a comb on
$\mathcal{K}_{s_{2N-1}} \otimes \mathcal{H}_{B,s_{2N-1}}$, where $\mathcal{K}_{s_{2N-1}} := \bigotimes_{j=0}^{2N-1} \mathcal{H}_{s_j}$, and
$\mathcal{H}_{B,s_{2N-1}}$ is the Hilbert space of Bob's ancillae at the last
step of the commitment phase. Note that, since $\mathcal{H}_{s_0} = \mathcal{H}_{s_{2N}} = \mathbb{C}$,
one has $\mathcal{K}_{s_{2N}} \simeq \mathcal{K}_{s_{2N-1}}$.

In the following we focus on the last step $N$ before the
opening. Since the step is fixed, we will drop the sub-index
$2N$ ($2N - 1$) labeling Alice's (Bob's) history. For
the history $s$, the overall (unnormalized) state resulting
from Alice and Bob playing the strategies $\{A_{i,s'}\}$ and
$\{B_{s'}\}$, respectively, is given by the link product

$$\sigma_s^{(i)} = B_s * A_{i,s} \in \mathrm{Lin}(\mathcal{H}_{A,s} \otimes \mathcal{H}_{B,s}). \tag{56}$$

The probability of the history $s$ is then given by the trace

$$p_s^{(i)} = \mathrm{Tr}[\sigma_s^{(i)}]. \tag{57}$$

The local state at Bob before the opening is

$$\rho_s^{(i)} = \mathrm{Tr}_{\mathcal{H}_{A,s}}[\sigma_s^{(i)}] = B_s * R_{i,s}, \tag{58}$$

where

$$R_{i,s} = \mathrm{Tr}_{\mathcal{H}_{A,s}}[A_{i,s}] \in \mathrm{Lin}(\mathcal{K}_s) \tag{59}$$

is the restriction of Alice's comb to the quantum systems
exchanged in the protocol.



B. Concealing protocols 

Definition 1 (Concealing protocols) A quantum bit
commitment protocol is $\varepsilon$-concealing if there is at least
a couple of honest strategies $\{A_{0,s'}\} \in \mathsf{A}_0$, $\{A_{1,s'}\} \in \mathsf{A}_1$
such that the following conditions hold:

$$\max_s \frac{\big\|\rho_s^{(1)} - \rho_s^{(0)}\big\|_1}{\mathrm{Tr}\big[\rho_s^{(1)} + \rho_s^{(0)}\big]} \le \varepsilon, \qquad \forall \{B_{s'}\} \in \mathsf{B}, \tag{60}$$

where $\rho_s^{(i)}$ is the unnormalized state on Bob's side $\rho_s^{(i)} = B_s * R_{i,s}$,
with $R_{i,s} = \mathrm{Tr}_{\mathcal{H}_{A,s}}[A_{i,s}]$.

As discussed in subsection III E, the above condition
means that, for any history of classical communication,
the probability that Bob discriminates correctly
between $R_{0,s}$ and $R_{1,s}$ is $\varepsilon$-close to 1/2, the success
probability of a random guess.

The concealment condition can be translated in terms
of combs distances as follows:

Lemma 3 A protocol is $\varepsilon$-concealing if and only if there
is a couple of honest strategies $\{A_{0,s'}\}$ and $\{A_{1,s'}\}$ such
that

$$\max_s d(R_{1,s}, R_{0,s})|_{\mathsf{T}_s} \le \varepsilon, \tag{61}$$

where $\mathsf{T}_s = \{T_s = \mathrm{Tr}_{\mathcal{H}_{B,s}}[B_s],\ B_s \in \{B_{s'}\} \in \mathsf{B}\}$.

Proof. Clearly, condition (60) holds if and only if

$$\max_s \sup_{\mathsf{B}_s} \frac{\big\|\rho_s^{(1)} - \rho_s^{(0)}\big\|_1}{\mathrm{Tr}\big[\rho_s^{(1)} + \rho_s^{(0)}\big]} \le \varepsilon, \tag{62}$$

where $\mathsf{B}_s = \{B_s \in \{B_{s'}\} \in \mathsf{B}\}$. Moreover, since the
set of Bob's strategies is closed under dilation, and since
dilation improves the discrimination, the supremum can
be taken over the dilations $\{\tilde{B}_{s'}\}$. Now, denote by $\tilde{T}_s$ the
dilation of $T_s = \mathrm{Tr}_{\mathcal{H}_{B,s}}[\tilde{B}_s]$. Since $\tilde{B}_s$ and $\tilde{T}_s$ are both
dilations of $T_s$, they are connected by a partial isometry
on Bob's ancillae. The same is true for the states $\tilde{\rho}_s^{(i)} := \tilde{B}_s * R_{i,s}$,
and $\rho_{T_s}^{(i)} := \tilde{T}_s * R_{i,s}$, for each value $i = 0, 1$,
whence $\|\tilde{\rho}_s^{(1)} - \tilde{\rho}_s^{(0)}\|_1 = \|\rho_{T_s}^{(1)} - \rho_{T_s}^{(0)}\|_1$. This implies the
identity


^(i)|| -II JO) 



.(i)| 



max sup 



B= Tr[p, 



(1) 



max sup 



^(1) 



.(0) 
Ps 



B. Tr[p, 



pi"'] 



max sup 



(0) 

PtI 



(63) 



(1) 



max d{Ri^g, Rq 



C. Alice's cheating strategies

Let $\{A_{s'}\}$ and $\{A^{\sharp}_{s'}\}$ be a honest and a dishonest strategy
by Alice, respectively (here we drop the index $i = 0, 1$
of the bit value, since it is unnecessary for the following
discussion). When Bob chooses the strategy $\{B_{s'}\} \in \mathsf{B}$,
for history $s$ the unnormalized quantum states before the
opening phase are

$$\sigma_s = B_s * A_s, \qquad \sigma_s^{\sharp} = B_s * A_s^{\sharp}. \tag{64}$$

Definition 2 The strategy $\{A^{\sharp}_{s'}\}$ is $\delta$-close to the strategy
$\{A_{s'}\}$ at the opening if for any strategy $\{B_{s'}\} \in \mathsf{B}$
one has

$$\max_s \frac{\big\|\sigma_s^{\sharp} - \sigma_s\big\|_1}{\mathrm{Tr}\big[\sigma_s^{\sharp} + \sigma_s\big]} \le \delta. \tag{65}$$

If two strategies are $\delta$-close, Bob cannot distinguish between
them, even if the history that takes place is the
most favorable to him.

Following the same argument used in the proof of
Lemma 3, the notion of $\delta$-closeness can be expressed in
terms of comb distance as follows:

Lemma 4 The strategy $\{A^{\sharp}_{s'}\}$ is $\delta$-close to the strategy
$\{A_{s'}\}$ at the opening if and only if

$$d(A_s, A_s^{\sharp})\big|_{\mathsf{T}_s \otimes I_{A,s}} \le \delta, \tag{66}$$

where $\mathsf{T}_s \otimes I_{A,s} = \{T_s \otimes I_{A,s} \mid T_s = \mathrm{Tr}_{\mathcal{H}_{B,s}}[B_s],\ B_s \in \{B_{s'}\} \in \mathsf{B}\}$
and $I_{A,s}$ denotes the identity on Alice's ancilla
$\mathcal{H}_{A,s}$.

Definition 3 Given two honest strategies $\{A_{0,s'}\} \in \mathsf{A}_0$
and $\{A_{1,s'}\} \in \mathsf{A}_1$, a $\delta$-cheating is a couple of strategies
$\{A^{\sharp}_{0,s'}\}$ and $\{A^{\sharp}_{1,s'}\}$ satisfying the conditions

1. $\{A^{\sharp}_{i,s'}\}$ is $\delta$-close to $\{A_{i,s'}\}$ for $i = 0, 1$

2. for every history $s$, there exists a quantum channel
$\mathcal{C}_s$ acting on Alice's ancilla space $\mathcal{H}_{A,s}$ such that

$$A^{\sharp}_{1,s} = (\mathcal{I}_s \otimes \mathcal{C}_s)(A^{\sharp}_{0,s}), \tag{67}$$

where $\mathcal{I}_s$ is the identity channel on the Hilbert
space $\mathcal{K}_s$ of all quantum systems exchanged in the
commitment phase.

The second condition means that Alice can follow the
strategy $\{A^{\sharp}_{0,s'}\}$ until the end of the commitment, and
switch to the strategy $\{A^{\sharp}_{1,s'}\}$ with a local operation on
her ancillae just before the opening.



V. THE IMPOSSIBILITY PROOF

A. Protocols with bounded number of rounds

Theorem 4 If an $N$-round protocol is $\varepsilon$-concealing with
honest strategies $\{A_{0,s}\} \in \mathsf{A}_0$ and $\{A_{1,s}\} \in \mathsf{A}_1$, then
there is a $\sqrt{2\varepsilon}$-cheating with cheating strategies $\{A^{\sharp}_{0,s}\}$
and $\{A^{\sharp}_{1,s}\}$. In particular, the cheating strategy $\{A^{\sharp}_{0,s}\}$
coincides with the honest strategy $\{A_{0,s}\}$.

Proof. According to Eq. (61), the concealing condition
is for any history $s$

$$d(R_{1,s}, R_{0,s})|_{\mathsf{T}_s} \le \varepsilon, \tag{68}$$

where $R_{i,s} = \mathrm{Tr}_{\mathcal{H}_{A,s}}[A_{i,s}]$ and $\mathsf{T}_s = \{T_s = \mathrm{Tr}_{\mathcal{H}_{B,s}}[B_s] \mid B_s \in \{B_{s'}\} \in \mathsf{B}\}$.
We now focus on a fixed
history $s$, and show the existence of two $\sqrt{2\varepsilon}$-cheating
strategies $\{A^{\sharp}_{0,s'}\}$ and $\{A^{\sharp}_{1,s'}\}$. Since we are fixing $s$, we
drop the index $s$ everywhere.

Since the reduced combs $R_i = \mathrm{Tr}_{\mathcal{H}_A}[A_i] \in \mathrm{Lin}(\mathcal{K})$ satisfy
the condition $d(R_1, R_0)|_{\mathsf{T}} \le \varepsilon$, we can use the continuity
of dilation stated by Lemma 2, thus finding a random
unitary channel $\mathcal{V} = \sum_k p_k \mathcal{U}_k$ acting on the ancilla
space $\mathcal{H}_A$ such that

$$d\big(\tilde{R}_1, (\mathcal{I} \otimes \mathcal{V})(\tilde{R}_0)\big)\big|_{\mathsf{T} \otimes I_A} \le \sqrt{2\, d(R_1, R_0)|_{\mathsf{T}}}, \tag{69}$$

where $\tilde{R}_i$ is the dilation $\tilde{R}_i = |R_i^{1/2}\rangle\rangle\langle\langle R_i^{1/2}| \in \mathrm{Lin}(\mathcal{K} \otimes \mathcal{K}_A)$.
Now consider the dilations of the honest strategies

A,. 



(70) 



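Here $\tilde{A}_i$ is an operator in $\mathrm{Lin}(\mathcal{K} \otimes \mathcal{H}_A \otimes \mathcal{L}_A)$ where $\mathcal{L}_A \simeq \mathcal{K} \otimes \mathcal{H}_A$
is an additional ancilla space on Alice's side. By
definition, $R_i = \mathrm{Tr}_{\mathcal{H}_A, \mathcal{L}_A}[\tilde{A}_i]$. Since $\tilde{A}_i$ and $\tilde{R}_i$ are both
dilations of $R_i$ there exist a channel $\mathcal{E}_i$ sending states on
$(\mathcal{H}_A \otimes \mathcal{L}_A)$ to states on $\mathcal{K}_A$ such that

$$\tilde{R}_i = (\mathcal{I}_{\mathcal{K}} \otimes \mathcal{E}_i)(\tilde{A}_i), \tag{71}$$

and a channel $\mathcal{F}_i$ sending states on $\mathcal{K}_A$ to states on $(\mathcal{H}_A \otimes \mathcal{L}_A)$
such that

$$\tilde{A}_i = (\mathcal{I}_{\mathcal{K}} \otimes \mathcal{F}_i)(\tilde{R}_i). \tag{72}$$

Alice's cheating procedure is then the following:

• Use the dilated strategy $\tilde{A}_0$.

• After the commitment decide the bit value. To
commit 0, do nothing. To commit 1, apply the
channel $\mathcal{C} = \mathcal{F}_1 \mathcal{V} \mathcal{E}_0$ on the ancillae, where $\mathcal{V}(\rho) = \sum_k p_k U_k \rho U_k^{\dagger}$.

• Discard the additional ancilla $\mathcal{L}_A$.

This procedure defines for every history $s$ the two cheating
strategies $\{A^{\sharp}_{0,s'}\} := \{A_{0,s'}\}$ and $\{A^{\sharp}_{1,s'}\} := \{(\mathcal{I}_{s'} \otimes \mathcal{C}_{s'})(A_{0,s'})\}$.
Clearly, $\{A^{\sharp}_{0,s'}\}$ is $\sqrt{2\varepsilon}$-close to $\{A_{0,s'}\}$ (in
fact, they coincide). Regarding $\{A^{\sharp}_{1,s'}\}$, for any history $s$
(and hence dropping the index) we have

$$\begin{aligned}
d(A_1, A_1^{\sharp})\big|_{\mathsf{T} \otimes I_A} &= d\big(A_1, \mathrm{Tr}_{\mathcal{L}_A}[(\mathcal{I} \otimes \mathcal{F}_1 \mathcal{V} \mathcal{E}_0)(\tilde{A}_0)]\big)\big|_{\mathsf{T} \otimes I_A} \\
&\le d\big(\tilde{A}_1, (\mathcal{I} \otimes \mathcal{F}_1 \mathcal{V} \mathcal{E}_0)(\tilde{A}_0)\big)\big|_{\mathsf{T} \otimes I_A} \\
&= d\big((\mathcal{I} \otimes \mathcal{F}_1)(\tilde{R}_1), (\mathcal{I} \otimes \mathcal{F}_1 \mathcal{V})(\tilde{R}_0)\big)\big|_{\mathsf{T} \otimes I_A} \\
&\le d\big(\tilde{R}_1, (\mathcal{I} \otimes \mathcal{V})(\tilde{R}_0)\big)\big|_{\mathsf{T} \otimes I_A} \\
&\le \sqrt{2\, d(R_1, R_0)|_{\mathsf{T}}} \le \sqrt{2\varepsilon}.
\end{aligned} \tag{73}$$

Here, the first and the second inequalities derive from
Lemma 1, the third one is Eq. (69), and the last is the
concealing condition. ■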
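The single-message special case of Theorem 4 (no classical exchange, trivial tester, normalized qubit states held by Bob), worked numerically as an added illustration that is not code from the paper; it also checks the semi-metric example of Sec. III E and the Bures-Alberti-Uhlmann bound used in the proof of Lemma 2. The tuple representation, the function names and the sample states are assumptions made for this example.

```python
import math

# A real symmetric 2x2 operator [[a, b], [b, c]] is stored as the tuple (a, b, c).
# All sample states below are constructed for this example.

def trace(m):
    return m[0] + m[2]

def det(m):
    return m[0] * m[2] - m[1] ** 2

def trace_norm(m):
    """||m||_1: sum of the absolute eigenvalues of a symmetric 2x2 matrix."""
    mean = trace(m) / 2
    radius = math.hypot((m[0] - m[2]) / 2, m[1])
    return abs(mean + radius) + abs(mean - radius)

def distance(rho, sigma):
    """d(rho, sigma) = ||rho - sigma||_1 / Tr[rho + sigma] (Eq. 31 with a trivial tester)."""
    diff = tuple(x - y for x, y in zip(rho, sigma))
    return trace_norm(diff) / (trace(rho) + trace(sigma))

def fidelity(rho, sigma):
    """Uhlmann fidelity F = Tr sqrt(sqrt(rho) sigma sqrt(rho)); inputs may be unnormalized.
    Uses (Tr sqrt(M))^2 = Tr M + 2 sqrt(det M), valid for any 2x2 positive M."""
    tr_prod = rho[0] * sigma[0] + 2 * rho[1] * sigma[1] + rho[2] * sigma[2]
    cross = math.sqrt(max(0.0, det(rho) * det(sigma)))
    return math.sqrt(max(0.0, tr_prod + 2 * cross))

def bau_slack(rho, sigma):
    """||rho - sigma||_1 - (Tr[rho + sigma] - 2F): non-negative by Bures-Alberti-Uhlmann."""
    diff = tuple(x - y for x, y in zip(rho, sigma))
    return trace_norm(diff) - (trace(rho) + trace(sigma) - 2 * fidelity(rho, sigma))

def cheat_report(rho0, rho1):
    """Return (epsilon, delta, sqrt(2*epsilon)) for normalized rho0, rho1.

    epsilon: concealment level d(rho1, rho0) seen by Bob before the opening.
    delta:   distance at the opening between the honest purification of rho1
             and the purification of rho0 after the best unitary on Alice's
             ancilla. By Uhlmann's theorem the best overlap equals F, and for
             two normalized pure states d = sqrt(1 - overlap^2).
    """
    eps = distance(rho1, rho0)
    f = min(1.0, fidelity(rho0, rho1))
    delta = math.sqrt(1.0 - f * f)
    return eps, delta, math.sqrt(2 * eps)

def triangle_example():
    """Semi-metric example of Sec. III E: rho = |0><0|/2, sigma = |1><1|/2, tau = I/2."""
    rho, sigma, tau = (0.5, 0.0, 0.0), (0.0, 0.0, 0.5), (0.5, 0.0, 0.5)
    return distance(rho, sigma), distance(rho, tau), distance(tau, sigma)

if __name__ == "__main__":
    q = 0.01   # rho0 pure, rho1 slightly mixed: delta scales like sqrt(epsilon)
    print(cheat_report((1.0, 0.0, 0.0), (1.0 - q, 0.0, q)))
    r = 0.02   # rho_b = (I + (-1)^b r X)/2: delta equals epsilon
    print(cheat_report((0.5, r / 2, 0.5), (0.5, -r / 2, 0.5)))
    print(triangle_example())
```

The first pair shows that the square-root loss between concealment and closeness is genuine in this special case: the cheat is detected with a distance of order $\sqrt{\varepsilon}$, still below the $\sqrt{2\varepsilon}$ bound.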



B. Protocols with unbounded number of rounds

Here we show how the impossibility result of the previous
subsection can be easily extended to the case of protocols
where the number of rounds is unbounded. In this
case Alice's (Bob's) strategies are still described by collections
of probabilistic combs $\{A_{s'}\}$ ($\{B_{s'}\}$), where each
probabilistic comb represents the sequence of quantum
operations performed by Alice (Bob) for a given history
$s$ of classical communication. Note that, although the
length of the strings is no longer bounded by a fixed number,
any given string $s$ must have finite length. Indeed,
a protocol allowing an infinitely long history $s$ would be
a protocol in which sometimes Alice and Bob have to
continue their communication forever, without reaching
either a successful commitment or an abort.

For a protocol with unbounded number of rounds, the
conditions of $\varepsilon$-concealment and $\delta$-closeness are still given
by Eqs. (60) and (65), respectively. Now, it is immediate
to see that, given an $\varepsilon$-concealing protocol with
unbounded number of rounds, one can always construct
a new $\varepsilon$-concealing protocol with bounded number. Indeed,
Alice can follow the original unbounded protocol,
and decide to abort whenever the number of rounds exceeds
a fixed number $N$. This change does not change
the security of the protocol: it just reduces the probability
of successful commitment by turning some histories
that in the original protocol ended in a successful commitment
into histories that end in an abort. For the new
protocol with finite rounds, however, one can apply Theorem 4,
thus finding a $\sqrt{2\varepsilon}$-cheating for Alice. Since $N$ is
arbitrary and since for any $N$ the cheating strategy coincides
with the honest one up to the opening, Alice can
take the number $N$ to be sufficiently large to make the
probability of successful commitment close to the one of
the unbounded original protocol.



VI. SUMMARY 

In this paper we have provided a new short impossibility
proof of quantum bit commitment. The present
proof differs from the previous ones in the following main
aspects: a) The strategies, including all their "purifications",
have a simple and univocal mathematical representation
in terms of conditional quantum combs in Eq.
(54); b) The definition of concealment and bindingness
are worst-case over histories, namely the conditions on
cheating probabilities are defined uniformly over histories
of classical communication rather than on average;
c) we consider the possibility of restricting the strategies
of Bob to an arbitrary set closed under dilation, and
show that if the protocol is concealing for Bob restricted
in this way, then it is not binding. Along similar lines it
is possible to prove the impossibility theorem also with
cheating probabilities averaged over histories. However,
the two impossibility theorems are not comparable, since
worst-case concealment implies concealment in average,
whereas bindingness in average implies worst-case bindingness.

At the end of the paper, we want to stress two points
regarding abortion probabilities. First, concealment is
defined regardless of abortion, namely Bob must not be able
to detect the bit value anyway, whether Alice catches him
or not. Second, in order to cheat Alice has only to play
the honest strategy $\{A_{0,s'}\}$ up to the very last moment
before the opening, at which point her cheat is anyway
undetectable by Bob (at the opening Bob's success probability
in detecting the cheat is at most $\sqrt{2\varepsilon}$-close to the
success probability of a random guess). Therefore, the
probability of abort before the opening is independent
of whether Alice is cheating or not.

/(C' ^) (A5)



Moreover, the function g{T) := svLpf^f^Q f{C, T) is quasi- 
concave, since it is the supremum over one variable of a 
jointly quasi-concave function of (C, T) ||2^. Therefore, 
the infimum of g over T is equal to the infimum over the 
closed convex hull T, and we have 

inf sup /(C, T) = inf '5(T) - inf_'g(r) 



= inf sup/ (C,T) = inf inf sup/(C,r) 
TeT cgc " TeT„ cec 

= inf sup inf /(C,T) > sup inf /(C,r) 
= sup inf 7(C,T), 



(A6)



APPENDIX A: PROOF OF MINIMAX EQUALITY IN EQ. (45)

Lemma 5 Let f be the function from C x T to . 
/(C,r) = Re((vl/W|vI/(°) 



T,C// 

{{rI\t-^c\rI)) 



Tr[r-(i?o + i?i)] 
where Ri > 0. Then one has the identity 

inf ' sup /(C, T) = sup inf '/(C, T), 



(Al) 
(A2) 

(A3) 



where the infimum over $T$ is taken over the set of tester
operators $T \in \mathsf{T}$ such that $\mathrm{Tr}[T^{\top}(R_0 + R_1)] \neq 0$.

Proof. Let $\overline{\mathsf{T}}$ be the closure of the convex hull of $\mathsf{T}$.
Since we are in finite dimensions, $\overline{\mathsf{T}}$ is a compact set.
Define the compact convex set $\mathsf{T}_n$ as



Tn -.^ {T \Tr[T^R„+Ri)]>- 



having used that f{C,T) is quasi-concave in T for any 
C, whence the infinum ove T is equal to the infimum 
over T. In fact, the above bound is achieved: For any 
e > 0, and for any C G C, there is an element Tc € T 
such that f{C,Tc) < inf'j,^jf{C,T) + e/2. Moreover, 
since / is continuous in its domain, there exist two open 
sets Ac Q C and Btq ^ T such that for C € Ac and 
T' e Btc one has f{C',T') < f{C,Tc) + e/2. Now, 
the open sets {Ac} form an open cover of C. Since C 
is compact, one can extract from {^c} a finite subcover 
{j4c. }. Finally, for any i there is a number such that 
the intersection between i?Tc ^^^d is non empty. Let 
us define — maxjni}. Then we have 

sup inf/(C,r)< sup inf /(C,T) 

</(C„rcJ+£/2< inf7(C„T) + e (A7) 
< sup inf 7(C,T) -he. 

C TGT 

Since the sets {^C;} cover C, this implies 

supcGcinfT„7/(C.T')) < supcgcinfTeT/(C>^) + 
whence 



(A4) 



inf ' sup f(C. T) = inf sup inf /(C, T) 
< sup M'f{C,T)+s. 



(A8) 



We now restrict $f$ to the set $\mathsf{T}_n$ and apply Sion's minimax
theorem [E8|. The hypotheses of the theorem are